Twitter support form breach exposes user data to unidentified IP addresses in Saudi Arabia and China

Twitter says that a bug in the support form leveraged the IP addresses in getting country code of people’s phone numbers. It suspects these addresses may have ties to state-sponsored actors.

Highlights:

Only the country code of phone numbers were exposed.

IP addresses originated from Saudi Arabia and China.

The issue has been fixed and potential victims have been notified.

Twitter has announced that one of its support forms, which is used by account holders to contact Twitter about issues with their account, was compromised and some user data was exposed to IP addresses originating from Saudi Arabia and China. Twitter says that it began working to resolve the issue on November 15 and it was fixed by November 16. The microblogging platform also says that no action is required by account holders.

advertisements

“This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter. Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter said in a statement.

Twitter generally locks an account if it appears to be compromised or in violation of the Twitter Rules or its Terms of Service. It says that since the company became aware of the issue, it has have been investigating the origins and background in order to provide you with as much information as possible. Twitter says that it observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia.

“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings,” the platform noted. If you are one the affected person and have got a personal message, you can contact Twitter’s Data Protection Officer, Damien Kieran, by completing the online form here.

This is the second bug-related expose in a three month period. In September, Twitter announced that it has fixed a bug in its Account Activity API that, it suspected, have delivered users’ data to the wrong registered developer. This API allows registered developers to build tools to better support businesses and their communications with customers on the platform. Twitter also claimed that there was only one set of technical circumstances where this issue had occurred.